
[release-v0.42.2] chore(deps): bump tektoncd/pipeline to v1.9.3 #2722

Open: theakshaypant wants to merge 1 commit into tektoncd:release-v0.42.2 from theakshaypant:chore-bump-pipeline-0.42

Conversation

@theakshaypant (Member)

📝 Description of the Change

Addresses CVE-2026-40161 (GHSA-wjxp-xrpv-xpff), a high-severity vulnerability where the git resolver API mode leaks system-configured API tokens to user-controlled serverURL endpoints. Also includes path traversal hardening for volume mount validation using filepath.Clean.

🔗 Linked GitHub Issue

N/A

🧪 Testing Strategy

  • Unit tests
  • Integration tests
  • End-to-end tests
  • Manual testing
  • Not Applicable

🤖 AI Assistance

AI assistance can be used for various tasks, such as code generation,
documentation, or testing.

Please indicate whether you have used AI assistance
for this PR and provide details if applicable.

  • I have not used any AI assistance for this PR.
  • I have used AI assistance for this PR.

Important

Slop will simply be rejected. If you are using AI assistance, you need to make sure you
understand the generated code and that it meets the project's standards. You
need to at least know how to run the code and deploy it (if needed). See
startpaac to make it easy
to deploy and test your code changes.

If the majority of the code in this PR was generated by an AI, please add a Co-authored-by trailer to your commit message.
For example:

Co-authored-by: Claude <noreply@anthropic.com>

✅ Submitter Checklist

  • 📝 My commit messages are clear, informative, and follow the project's How to write a git commit message guide. The Gitlint linter ensures they are properly validated in CI.
  • ✨ I have ensured my commit message prefix (e.g., fix:, feat:) matches the "Type of Change" I selected above.
  • ♽ I have run make test and make lint locally to check for and fix any
    issues. For an efficient workflow, I have considered installing
    pre-commit and running pre-commit install to
    automate these checks.
  • 📖 I have added or updated documentation for any user-facing changes.
  • 🧪 I have added sufficient unit tests for my code changes.
  • 🎁 I have added end-to-end tests where feasible. See README for more details.
  • 🔎 I have addressed any CI test flakiness or provided a clear reason to bypass it.
  • If adding a provider feature, I have filled in the following and updated the provider documentation:
    • GitHub App
    • GitHub Webhook
    • Gitea/Forgejo
    • GitLab
    • Bitbucket Cloud
    • Bitbucket Data Center
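
The description above names two security changes: stopping a system-configured API token from being sent to a user-controlled serverURL, and hardening volume mount validation with filepath.Clean. The following Go program is an added illustration of both checks and is not code from tektoncd/pipeline, from this repository, or from the v1.9.3 fix; the function names, the base directory /mnt/work, and the example hosts are hypothetical. It also shows the caveat a reviewer would look for: filepath.Clean on its own does not block "../", so a containment check on the cleaned result is the actual control.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a mount path resolves outside its allowed root.
var ErrOutsideBase = errors.New("mount path escapes the allowed base directory")

// SafeMountPath joins a user-supplied mount path onto base and rejects any
// result that lands outside base. filepath.Clean (which filepath.Join applies)
// collapses "a/../b" and "./x", but it does not stop "../x" from escaping,
// so the real control is the containment check on the cleaned result.
// Hypothetical helper, not the project's own validation code.
func SafeMountPath(base, userPath string) (string, error) {
	cleanBase := filepath.Clean(base)
	joined := filepath.Join(cleanBase, userPath) // an absolute userPath is treated as relative to base
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

// ShouldSendToken reports whether a system-configured API token may be attached
// to a request for targetURL. The token is bound to the operator-configured API
// host: a user-controlled server URL pointing anywhere else gets no credential,
// and plaintext http targets are refused even for the right host.
// Hypothetical helper, not the resolver's own logic.
func ShouldSendToken(configuredAPIURL, targetURL string) (bool, error) {
	cfg, err := url.Parse(configuredAPIURL)
	if err != nil {
		return false, err
	}
	tgt, err := url.Parse(targetURL)
	if err != nil {
		return false, err
	}
	if cfg.Host == "" || tgt.Host == "" {
		return false, errors.New("both URLs must be absolute and carry a host")
	}
	if tgt.Scheme != "https" {
		return false, nil
	}
	return strings.EqualFold(cfg.Host, tgt.Host), nil
}

func main() {
	// Constructed sample inputs for the two checks.
	for _, p := range []string{"a/../b/file.txt", "../../outside/file", "."} {
		got, err := SafeMountPath("/mnt/work", p)
		fmt.Printf("mount %-22q -> %q err=%v\n", p, got, err)
	}
	for _, u := range []string{
		"https://api.example.com/repos/x",
		"https://other.example.net/repos/x",
		"http://api.example.com/repos/x",
	} {
		ok, err := ShouldSendToken("https://api.example.com", u)
		fmt.Printf("token to %-36s -> %v err=%v\n", u, ok, err)
	}
}
```

The host comparison is deliberately strict (exact host, including port, and https only); a looser rule such as a suffix match would re-open the leak for any host the user can register under a matching suffix.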

@theakshaypant changed the title from "[release-v0.42.2] fix(deps): bump tektoncd/pipeline to v1.9.3" to "[release-v0.42.2] chore(deps): bump tektoncd/pipeline to v1.9.3" on May 13, 2026
Addresses CVE-2026-40161 (GHSA-wjxp-xrpv-xpff), a high-severity
vulnerability where the git resolver API mode leaks
system-configured API tokens to user-controlled serverURL
endpoints. Also includes path traversal hardening for volume mount
validation using filepath.Clean.

Signed-off-by: Akshay Pant <akpant@redhat.com>
@theakshaypant force-pushed the chore-bump-pipeline-0.42 branch from c6b1966 to 6ba8a30 on May 13, 2026 05:58

@gemini-code-assist (Bot) left a comment

Code Review

This pull request updates the tektoncd/pipeline dependency from v1.9.2 to v1.9.3. The reviewer noted that go mod tidy should be run to address fragmented require blocks and ensure indirect dependencies are correctly updated. Additionally, a discrepancy was identified between the PR description, which mentions path traversal hardening, and the actual changes, which only reflect the dependency bump.

Comment thread: go.mod
github.com/spf13/cobra v1.10.2
github.com/stretchr/testify v1.11.1
github.com/tektoncd/pipeline v1.9.2
github.com/tektoncd/pipeline v1.9.3
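Review bot: the require line moves tektoncd/pipeline from v1.9.2 to v1.9.3, but no matching go.sum hunk is shown (the `h1:` entry for v1.9.3 and its `/go.mod` line), and nothing here reflects the `make vendor` run the author describes (vendor/modules.txt and the vendored pipeline sources). Please include those hunks in the diff so the bump is reproducible and the checksum of the patched version is recorded in the same commit.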

Severity: high

It appears that go mod tidy was not run after updating the tektoncd/pipeline dependency. The go.mod file contains fragmented require blocks (e.g., lines 5, 49, and 83), and the go.sum file lacks updates for any indirect dependencies that may have changed with the new version. Please run go mod tidy to ensure the module files are consistent and correctly formatted.

@theakshaypant (Member, Author)

go mod tidy and make vendor were run before committing.
[image]

Comment thread: go.mod
github.com/spf13/cobra v1.10.2
github.com/stretchr/testify v1.11.1
github.com/tektoncd/pipeline v1.9.2
github.com/tektoncd/pipeline v1.9.3
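Review bot: nothing in this hunk ties the new version to the security fix it is meant to carry; on a release branch a one-line bump should be auditable from the diff itself. The commit message already cites CVE-2026-40161 / GHSA-wjxp-xrpv-xpff, so add a one-line statement that v1.9.3 is the patched version the advisory names and that the filepath.Clean hardening mentioned in the description lives in the upstream dependency rather than in this repository, which also resolves the discrepancy flagged above.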

Severity: high (security)

The PR description mentions path traversal hardening for volume mount validation using filepath.Clean, but the current diff only contains a dependency bump. Please confirm if the updated dependency version resolves the security issue or if the intended code changes are missing. It is important to investigate if the issue is resolved by the dependency update itself before making further code changes.

References
  1. Confirm dependency versions and investigate if security issues are resolved by the dependency update before making further code changes to avoid redundant work or false positives.

@theakshaypant (Member, Author)

The CVE is linked in the commit message, along with the fix being present in pipeline:v1.9.3.
